Mac's Biggest Threats Lurk in the Apple App Store

Mac malware is on the rise, especially adware and potentially unwanted programs in the App Store.

Apple Mac devices, while largely considered safer than their Windows and Android counterparts, are vulnerable to a growing number of malicious applications.

More Mac malware was seen in Q2 than in the entirety of 2016, report researchers at Malwarebytes, which today published a report on Mac and Android threats. Mac malware families hit an all-time high in 2017, with more appearing this year than in any previous year.

"Mac users typically think they're safe, that Macs don't get viruses, and they're being proven increasingly wrong," says Thomas Reed, director of Mac and mobile for Malwarebytes. "The number is much smaller than on Windows, but this is a very concerning trend we're seeing on the Mac," he adds.

Christiaan Beek, lead scientist and principal engineer for McAfee, agrees Mac malware has increased overall but that trends tend to shift as Apple catches and addresses threats.

"With Mac malware, it goes up and down," Beek says. "Apple's really good at catching malicious apps in their stores … if it's discovered, it's quickly discovered and quickly solved."

Beware of the App Store

Threats like ransomware are still rare on Macs, researchers report. The most significant problems are adware and potentially unwanted programs (PUPs), which began to ramp up in 2013 and have been multiplying since. Despite vetting processes and safety settings, the App Store is not immune to malicious applications.

"If you go into the Mac App Store and search for adware and antivirus, most stuff you find will be junk software that doesn't do what it claims to do," says Reed. "The primary goal is to get the user to purchase an app or service they really don't need and doesn't fulfill the promises it makes."

He cites the example of Proton, a remote access Trojan (RAT) targeting macOS in 2016. Proton is a backdoor developed to exfiltrate password data from sources including the macOS keychain, 1Password vaults, and browser auto-fill data. Users were hit with the RAT when they downloaded the open-source video conversion tool HandBrake.

The emergence of Proton, which affected consumers and experts alike, was a wake-up call for Mac users to be careful about what they download.

PUPs are difficult to handle because "it's like malware with lawyers," says Reed. There are companies behind the malicious apps on the App Store, he explains, and detecting PUPs can lead to complicated legal matters with businesses developing the software.

"Apple has its own built-in antimalware features, but they don't seem to want to poke at PUPs and adware until they really cross the line," he adds. For example, Apple blocked a form of Genio adware when it used a system vulnerability to download browser extensions onto victims' computers.

Who are the Mac attackers?

While the amount of Mac malware is "a drop in the bucket" compared with Windows threats, as Reed says, it's worth taking a closer look at who might be targeting Mac devices and why.

"Honestly, it takes time to write a nice piece of malware for Mac," says Beek, adding that most cybercriminals prioritize mass distribution and quick cash. "Mac is still not their interest," he adds. Mac exploits are also expensive, selling for up to $40K on the Dark Web.

Threat actors who target Macs likely aren't looking for money, he continues, but user data or access. "Mostly what we'd see is a backdoor on the Mac that would try to snoop on you by activating a microphone or keylog strokes, or try to activate a camera."

State-sponsored attackers and governments are looking into Mac exploits and backdoors, says Beek. These actors can afford to develop Mac malware or purchase it online, and they are typically those looking for backdoors to gain access to victims' machines.

Macs are getting more affordable but still pricey, and people who use Macs in the enterprise are more likely to be nation-state targets. Executives, researchers, developers, and system administrators have high levels of access and appeal to actors seeking corporate data.

Beek anticipates we'll see a slight increase in Mac malware in 2018 as Apple continues to improve its security and attackers explore ways to work around it. Reed also expects an increase, particularly with respect to the amount of PUPs populating the App Store.

"Attackers are starting to realize Macs are not invulnerable - they are attackable," says Reed. "So they're trying new things."


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

